
Re: "Browserified" stuff



On Mon, Oct 10, 2016 at 03:08:17PM +0200, Martín Ferrari wrote:
> On 09/10/16 23:56, Adam Borowski wrote:
> > Another issue is, as mentioned in the TC discussion, the inability to fix
> > any non-trivial security bugs in stable.  I can't quite imagine the Security
> > Team hunting for a specific old version of grunt and all of its extensive
> > dependencies to rebuild the buggy package.  Such state hits the definition
> > of "contrib" exactly, why not actually use it for this purpose?  Demotion of
> > libjs-handlebars would require changing or demoting two more packages:
> > prometheus and kcov, which would be a hassle but not the end of the world.
> 
> Prometheus being in contrib basically means the work I have done for the
> past year is worthless, as users could as well just grab unofficial
> packages from other places. I am not saying this to justify the mess
> with handlebars, I want to find a solution, but putting this in contrib
> or non-free is not an option for me.

The preferred solution, of course, would be having all that js brouhaha
beaten into shape and packaged.  But, as this hasn't happened for years, I'm
not holding my breath.

But why are you so opposed to contrib?   Packages there _can_ have security
support, it's just not guaranteed[1].  You get almost all the convenience of
being in Debian proper, users just need to enable contrib as it doesn't have
the same level of support -- and usually it's already enabled because of
needing non-free drivers[2].

Yes, it is a shame to be there but it accurately warns users about problems.
I know they're not your fault, but the results are still the same -- most
non-trivial bugs in libjs-handlebars will be prohibitively hard to fix during
the lifetime of stretch.

I believe it's nicer on users to not have prometheus in main in stretch than
to ship it then remove in buster (assuming the promise of "not giving the RC
exception twice" is held, in practice the "very last chance" is extended
indefinitely).

There are some pretty useful packages in contrib, like, say, virtualbox
(handles GUI x86 VMs better than qemu).  It is in contrib only due to a
small part of it being prebuilt (regenerating requires an out-of-Debian
compiler, much like grunt), and that part is not even strictly required!
(It's 8086 BIOS for VMs, these days being EFI-only becomes more and more
acceptable.)


Meow!

[1]. For packages in main users at the very least get a message about
security support for that package ceasing.

[2]. On any modern x86 CPU running without microcode updates means data
corruption bugs.
-- 
A MAP07 (Dead Simple) raspberry tincture recipe: 0.5l 95% alcohol, 1kg
raspberries, 0.4kg sugar; put into a big jar for 1 month.  Filter out and
throw away the fruits (can dump them into a cake, etc), let the drink age
at least 3-6 months.
